When I create a packet filter (eg for only tcp traffic) with
tcpdump -dd tcp
the packet filter output is
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 2, 0x000086dd },
{ 0x30, 0, 0, 0x00000014 },
{ 0x15, 3, 4, 0x00000006 },
{ 0x15, 0, 3, 0x00000800 },
{ 0x30, 0, 0, 0x00000017 },
{ 0x15, 0, 1, 0x00000006 },
{ 0x6, 0, 0, 0x0000ffff },
{ 0x6, 0, 0, 0x00000000 },
But when I do the same programatically;
pcap_compile_nopcap(1500, DLT_EN10MB, &fcode, "tcp", 1, 0);
struct bpf_insn *insn = fcode.bf_insns;
for (i = 0; i < fcode.bf_len; ++insn, ++i)
{
printf("{ 0x%x, %d, %d, 0x%08x },\n",
insn->code, insn->jt, insn->jf, insn->k);
}
I get the following packet filter output:
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 5, 0x000086dd },
{ 0x30, 0, 0, 0x00000014 },
{ 0x15, 6, 0, 0x00000006 },
{ 0x15, 0, 6, 0x0000002c },
{ 0x30, 0, 0, 0x00000036 },
{ 0x15, 3, 4, 0x00000006 },
{ 0x15, 0, 3, 0x00000800 },
{ 0x30, 0, 0, 0x00000017 },
{ 0x15, 0, 1, 0x00000006 },
{ 0x6, 0, 0, 0x000005dc },
{ 0x6, 0, 0, 0x00000000 },
Why are the two packet filters different?
Probably because the tcpdump on your system is built with an older version of libpcap than your program. The tcpdump on your system is probably using a libpcap without this change:
and your program is probably using a libpcap with that change. That change went into libpcap somewhere in the libpcap 1.3.x timeframe.